
One in Three SOC Analysts Now Job-Hunting

The more experienced a SOC analyst gets, the more his or her job satisfaction declines, a new survey of security operations center staffers shows.

Landing a job as an entry-level security operations center (SOC) analyst often provides a foot in the door to the cybersecurity field, but a new survey shows the more seasoned a SOC staffer gets, the more likely he or she will become disillusioned with the position.

New data from the Cyentia Institute's "Voice of the Analyst Study" of security operations center teams shows that while three in four SOC analysts are satisfied with their jobs, some 45% say the reality of the SOC isn't what they had expected. Some 70% of entry-level (one to two years' experience) SOC analysts say their job meets their expectations, while just 43% of more experienced SOC analysts say so, according to the report, commissioned by SOC automation vendor Respond Software.

As one SOC analyst respondent quoted in the report explained, the novelty of a new SOC gig basically wears off after a while: "I was drawn to the SOC by misguided youthful ideals, which have been ground into a fine powder by years of poor management and lack of support from higher-ups."

The report, provided in advance of its publication to Dark Reading, also found that job dissatisfaction ranks 25% higher among experienced SOC staffers, and one in three SOC analysts overall is currently job-hunting for a position elsewhere. Of the 160 respondents, three-quarters are SOC analysts, 20% SOC managers, and 5% engineers or project managers in the SOC.

Wade Baker, co-founder of The Cyentia Institute and an author of the report, says he had expected entry-level SOC analysts to be the most unhappy members of the SOC, not the seasoned ones. "It was counterintuitive to me. I thought the quintessential entry-level analysts feel less respected and maybe more dissatisfied. We found the opposite: the longer you're in the SOC and the more experience you have, dissatisfaction and things like that grow," Baker says.

SOC analysts say they were drawn to their positions for a new challenge, skills, more money, and as a way to make a difference, but those same incentives also are what's drawing them to leave their current jobs, according to the report. "If you want to keep them around, offering those same positives in-house is just as important as eliminating the negatives that drive them out," the report says. "Roughly 3 out of 4 point to a desire for more intellectually challenging work, the chance to learn new skills, and/or a chance to defend and help the business."

Change of SOCs

Entry-level, or Tier 1, SOC analyst positions are notoriously high burnout gigs. Sitting in front of a monitor and manually clicking through thousands of raw alerts from firewalls, IDS/IPS, SIEM, and endpoint tools, looking for that needle in a haystack, is at the same time both monotonous and stressful. Ignoring an alert tied to a real attack happens: just ask Target, which mistakenly dismissed alerts as false positive that flagged its massive breach in 2013.

SOC experts say the job of the entry-level SOC analyst gradually will be replaced with automation and orchestration technologies that streamline the traditionally manual, front-line role. The Tier 1 analyst position will evolve into a new more advanced role akin to the Tier 2 analyst, who triages flagged alerts.

"For me, the SOC of the future is having as much done automatically as possible" on the front lines, says Brett Wahlin, the former CISO at HP. The first level of human contact with the event data, a next-generation SOC Level 2 analyst, brings human analysis to the issue once it triggers a set threshold, for example. "It takes a human touch to see if you actually have got a bad guy or not," he says.

Today's Tier 1 SOC analyst job basically was born out of the mass of logs security tools produce, notes Josh Maberry, director of security operations at Critical Start, an MSSP. "The Tier 1 analyst was never supposed to be a manual-event job in the first place. It became that as a necessity because there weren't any automation and orchestration [tools] there yet," he says. "They [became] eye filters … So analysts began to drown. The whole thing became an events-to-bodies ratio."

It's those factors that have led to the high turnover in the SOC, experts say. The most time-consuming task in the SOC is monitoring, followed by intrusion analysis and shift operations handoff duties, according to the Cyentia SOC analyst survey. "The notion of monitoring taking a lot of time is not surprising," says Mike Armistead, co-founder and CEO of Respond Software, noting that monitoring earns a low value in the tasks SOC analysts want to be doing.

Shift operations also is considered a burden: that's when analysts receive feedback on their incident reports, or transfer information during the handoff of their shifts. "That's the place where tribal knowledge is transferred among people," he says, so if SOC analysts are unhappy with that process, it could be a red flag for the organization.

New data published today from a separate study by Advanced Threat Analytics (ATA) of 50 managed security services provides a glimpse at the volume of security alerts MSSPs face: nearly 45% say they see a 50% or higher rate of false positives, and 64% say it takes an average of 10 minutes or more to investigate each alert.

That volume of alerts forces SOC analysts of all levels to spend in some cases more than five hours a day investigating even false positives, according to that study. Alin Srivastava, president of ATA, says that distracts the MSSPs' SOC analysts from real threats and incidents.

According to Cyentia's SOC report, monitoring is the least likely task tied to catching an intruder, according to the SOC analysts in the survey. "You get the sense [from the survey] that they feel a lot of time is wasted on relatively low-value efforts," Cyentia's Baker says.

Automation can help eliminate the low-level, repetitive monitoring tasks that "require human fingers more than human brains," the report says. Threat hunting and forensics, meanwhile, require humans to handle that level of analysis.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Of course, SOC Analysis is a high burnout job. After 17 years in the cybersecurity field, directly and indirectly, the refusal to see security as a critical business process will burn out the most idealistic and enthusiastic practitioner. If the employee has to face dismissive administration on a daily basis, how do you think they'll react? I'm surprised that more insider threats don't come from the cybersecurity professionals after being treated like a leper for most of their careers. Our jobs aren't to make life harder for the users, but for the cybercriminals that take advantage of them. Somehow, through cultural pressure, the cybersecurity professional has become almost a derogatory term thanks to the lack of understanding from management perspectives. We have to lead up the chain of authority but we've become Sisyphus pushing the cybersecurity boulder up the hill for all eternity because it's not the easiest solution. We need support from our co-workers and especially our leadership to take security more seriously.

